PHP

Good and Bad Php code

Connect PHP to SAP

Pre-interview Questions

Php Articles

PHP

What is PHP?

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. If you are new to PHP and want to get some idea of how it works, try the introductory tutorial. After that, check out the online manual, and the example archive sites and some of the other resources available in the links section.

Today it is exactly three years ago since PHP 5 has been released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable & production-ready and as PHP 6 is on the way, PHP 4 will be discontinued.

The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5.

For documentation on migration for PHP 4 to PHP 5, we would like to point you to our migration guide. There is additional information available in the PHP 5.0 to PHP 5.1 and PHP 5.1 to PHP 5.2 migration guides as well.
PHP 5.2.3 Released
[31-May-2007]

The PHP development team would like to announce the immediate availability of PHP 5.2.3. This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release.

Further details about the PHP 5.2.3 release can be found in the release announcement for 5.2.3, the full list of changes is available in the ChangeLog for PHP 5.

Security Enhancements and Fixes in PHP 5.2.3:

* Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
* Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756)
* Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
* Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
* Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
* Added mysql_set_charset() to allow runtime altering of connection encoding.

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.3.
PHP 5.2.2 and PHP 4.4.7 Released
[02-May-2007]

The PHP development team would like to announce the immediate availability of PHP 5.2.2 and availability of PHP 4.4.7. These releases are major stability and security enhancements of the 5.x and 4.4.x branches, and all users are strongly encouraged to upgrade to it as soon as possible. Further details about the PHP 5.2.2 release can be found in the release announcement for 5.2.2, the full list of changes is available in the ChangeLog for PHP 5. Details about the PHP 4.4.7 release can be found in the release announcement for 4.4.7, the full list of changes is available in the ChangeLog for PHP 4.

Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7:

* Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
* Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
* Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser)
* Fixed unallocated memory access/double free in in array_user_key_compare() (MOPB-24 by Stefan Esser)
* Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
* Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser).
* Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
* Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev)

Security Enhancements and Fixes in PHP 5.2.2 only:

* Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser)
* Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
* Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia)
* Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (by Ilia Alshanetsky)
* Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky)
* Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser)
* Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser)

Security Enhancements and Fixes in PHP 4.4.7 only:

* XSS in phpinfo() (MOPB-8 by Stefan Esser)

Good and Bad PHP Code

The following is republished from the Tech Times #165.

When interviewing a PHP developer candidate for a job at SitePoint, there is one question that I almost always ask, because their answer tells me so much about the kind of programmer they are. Here’s the question: “In your mind, what are the differences between good PHP code and bad PHP code?”

The reason I like this question is because it tests more than just a candidate’s encyclopedic knowledge of PHP’s functions. Zend’s PHP certification does a good job of that (as does the test that Yahoo! issues to applicants for its PHP developer jobs, apparently).

Rather, the answer to this question tells me whether a PHP developer has, for example, experienced the pain of working with poorly-written code inherited from a careless predecessor, and whether he or she will go the extra mile to save the rest of the team from that same pain.

I don’t have a set notion of the perfect answer to the question, but I do know the kinds of things I’m hoping to hear. Just off the top of my head:

Good PHP code should be structured. Long chunks of code can be broken up into functions or methods that achieve sub-tasks with simple code, while non-obvious snippets should be commented to make their meaning plain. As much as possible, you should separate frontend HTML/CSS/JavaScript code from the server-side logic of your applications. PHP’s object oriented programming features give you some especially powerful tools to break up your applications into sensible units.

Good PHP code should be consistent. Whether that means setting rules for the names of variables and functions, adopting standard approaches to recurring tasks like database access and error handling, or simply making sure all of your code is indented the same way, consistency makes your code easier for others to read.

Good PHP code should be portable. PHP has a number of features, such as magic quotes and short tags, that can break fragile code when they are switched on or off. If you know what you’re doing, however, you can write code that works by adapting to its environment.

Good PHP code should be secure. While PHP offers excellent performance and flexibility out of the box, it leaves important issues like security entirely in the hands of the developer. A deep understanding of potential security holes like Cross-Site Scripting (XSS), Cross-Site Request Forgeries (CSRF), code injection vulnerabilities, and character encoding loopholes is essential for a professional PHP developer these days.

Once a candidate has answered this question, I usually have a pretty good idea of whether they’ll be hired or not. Of course, there’s always the possibility that an interviewee simply isn’t able to articulate these types of things, so we also have our candidates sit a PHP developer exam.

Many of the questions in this exam seem straightforward on the surface, but they give candidates plenty of opportunity to show how much they care about the little details.

The following “bad” code is a highly simplified example of the sort of thing we might put in our PHP developer exam. The question might be something like “How would you rewrite this code to make it better?”

<?
echo("<p>Search results for query: " .
    $_GET['query'] . ".</p>");
?>

The main problem in this code is that the user-submitted value ($_GET['query']) is output directly to the page, resulting in a Cross Site Scripting (XSS) vulnerability. But there are plenty of other ways in which it can be improved.

So, what sort of answer are we hoping for?

Good:

<?
echo("<p>Search results for query: " .
    htmlspecialchars($_GET['query']) . ".</p>");
?>

This is the least we expect. The XSS vulnerability has been remedied using htmlspecialchars to escape dangerous characters in the submitted value.

Better:

<?php
if (isset($_GET['query']))
{
  echo '<p>Search results for query: ',
      htmlspecialchars($_GET['query'], ENT_QUOTES), '.</p>';
}
?>

Now this looks like someone we might want to hire:

The “short” opening PHP tag (<?) has been replaced with the more portable (and XML-friendly) <?php form.
Before attempting to output the value of $_GET['query'], isset is used to verify that it actually has a value.
The unnecessary brackets (()) around the value passed to echo have been removed.
Strings are delimited by single quotes instead of double quotes to avoid the performance hit of PHP searching for variables to interpolate within the strings.
Rather than using the string concatenation operator (.) to pass a single string to the echo statement, the strings to be output by echo are separated by commas for a tiny performance boost.
Passing the ENT_QUOTES argument to htmlspecialchars to ensure that single quotes (') are also escaped isn’t strictly necessary in this case, but it’s a good habit to get into.

Somewhat distressingly, the number of PHP developers looking for work that are able to give a fully satisfactory answer to this sort of question—at least here in Melbourne—are few and far between. We spent a good three months interviewing for this latest position before we found someone with whom we were happy!

So, how would you do when asked a question like this one? Are there any factors that make PHP code good or bad that you feel I’ve left out? And what else would you look for in a PHP developer?

Connect PHP to SAP

In the current issue of the International PHP Magazine their is a very nice tutorial done how connecting PHP with SAP, those who attending the Las Vegas SAP TechEd might have seen this tutorial for those who missed it there I highly recommend checking out the current issue and take a look.

It combines the basics of PHP and AJAX with the power of an SAP backend, the beauty of the tutorial is the ease of use and the hint of what is possible with the versitility of PHP and the flexibility of SAP.

PHP Questions

1. Which of the following will not add john to the users array?

         1. $users[] = john;
         2. array_add($users,john);
         3. array_push($users,john);
         4. $users ||= john

2. What is the difference between sort(), assort() and ksort? Under what circumstances would you use each of these?

3. What would the following code print to the browser? Why?

      $num = 10;
      function multiply(){

            $num = $num * 10;
      }
      multiply();
      echo $num;

4. What is the difference between a reference and a regular variable? How do you pass by reference & why would you want to?

5. What functions can you use to add library code to the currently running script?

6. What is the difference between foo() & @foo()?

7. How do you debug a PHP application?

8. What does === do? What’s an example of something that will give true for ‘==’, but not ‘===’?

9. How would you declare a class named myclass? with no methods or properties?

10. How would you create an object, which is an instance of myclass??

11. How do you access and set properties of a class from within the class?

12. What is the difference between include & include_once? include & require?

13. What function would you use to redirect the browser to a new page?

         1. redir()

         2. header()
         3. location()
         4. redirect()

14. What function can you use to open a file for reading and writing?

         1. fget();
         2. file_open();
         3. fopen();
         4. open_file();

15. WhatÃ¢â‚¬â„¢s the difference between mysql_fetch_row() and mysql_fetch_array()?

16. What does the following code do? Explain what is going on there.

      $date08/26/2003
      print ereg_replace(([0-9]+)/([0-9]+)/([0-9]+)2/\\1/\\3,$date);

17. Given a line of text $string, how would you write a regular expression to strip all the HTML tags from it?

18. What is the difference between the way PHP and Perl distinguish between arrays and hashes?

19. How can you get round the stateless nature of HTTP using PHP?

20. What does the GD library do?

21. Name a few ways to output (print) a block of HTML code in PHP?

22. Is PHP better than Perl? Discuss.